ESET Secure Authentication · · The ESA RADIUS Server adds 2FA to VPN ... · Windows Server 2008...

ESETSecureAuthentication

Product Manual(intended for product version 2.7)

Click here to navigate to the online version of product documentation

https://help.eset.com/esa/27/en-US/

ESET SECURE AUTHENTICATION

Copyright 2018 by ESET, spol. s r.o.ESET Secure Authentication was developed by ESET, spol . s r.o.For more information vis i t www.eset.com.Al l rights reserved. No part of this documentation may be reproduced, s tored in aretrieva l system or transmitted in any form or by any means , electronic, mechanica l ,photocopying, recording, scanning, or otherwise without permiss ion in wri ting fromthe author.ESET, spol . s r.o. reserves the right to change any of the described appl ication softwarewithout prior notice.

Customer Care: www.eset.com/support

REV. 6/7/2018

Contents

.......................................................5Overview1.

.......................................................6Requirements2.

..........................................................................................6Supported Operating Systems2.1

..........................................................................................7Supported Web Browsers andResolution

2.2

..........................................................................................7Supported Web Applications2.3

..........................................................................................8Supported Mobile Phone OperatingSystems

2.4

..........................................................................................8Installation Requirements2.5

..........................................................................................10Supported Active DirectoryEnvironments

2.6

..........................................................................................11Firewall exceptions2.7

..........................................................................................11Policies2.8

.......................................................12Installation3.

..........................................................................................12Installation of Authentication Server3.1

..........................................................................................15Installation of the Remote Desktopplugin

3.2

..........................................................................................16Installation of the Web App plugin3.3

..........................................................................................18Installation of Windows Login plugin3.4

..........................................................................................19Change, repair, remove installation3.5

..........................................................................................20Installation of Windows Login and RDPprotection via GPO

3.6

..............................................................................22Startup script3.6.1

..............................................................................24Software Installation task3.6.2

..............................................................................30MSI arguments3.6.3

..........................................................................................30Upgrade installation3.7..............................................................................32Compatibility3.7.1

.......................................................33Using reverse proxy4.

.......................................................34Getting started with ESET SecureAuthentication Web Console

5.

..........................................................................................35Activate ESET Secure Authentication5.1

..........................................................................................36User Management - Provisioning5.2..............................................................................39User Status5.2.1

..............................................................................41Synchronizing with LDAP5.2.2

..............................................................................43Import users from file5.2.3

..........................................................................................44Invitations5.3

..........................................................................................45Use domain authentication5.4

.......................................................47Authentication options6.

..........................................................................................47Mobile Application6.1

..........................................................................................48Push Authentication6.2

..........................................................................................52Custom delivery options6.3

..........................................................................................56Hard Tokens6.4

.......................................................59Windows Login Protection7.

..........................................................................................61Master recovery key7.1

.......................................................63VPN Protection8.

..........................................................................................63Configuration8.1

..........................................................................................65Usage8.2

..........................................................................................65VPN Authentication Options8.3..............................................................................65SMS-based OTPs8.3.1

..............................................................................66On-demand SMS-based OTPs8.3.2

..............................................................................66Mobile Application8.3.3

..............................................................................67Hard Tokens8.3.4

..............................................................................67Migration from SMS-Based OTPs to MobileApplication

8.3.5

..............................................................................67Non-2FA Pass-through8.3.6

..............................................................................67Access Control Using Group Membership8.3.7

..........................................................................................67ESA Authentication Methods and PPPCompatibility

8.4

.......................................................69RADIUS PAM modules on Linux/Mac9.

..........................................................................................69Mac OS - configuration9.1

..........................................................................................72Linux - configuration9.2

..........................................................................................75Other RADIUS configurations9.3

.......................................................80Web Application Protection10.

..........................................................................................80Configuration10.1

..........................................................................................80Usage10.2

.......................................................83Remote Desktop Protection11.

..........................................................................................83Configuration in an Active Directoryenvironment

11.1

..........................................................................................84Allowing Non-2FA Users11.2

..........................................................................................84Usage11.3

..........................................................................................85Remote Desktop Web Access11.4

.......................................................87IP address whitelisting12.

.......................................................88AD FS13.

.......................................................91API14.

..........................................................................................91Integration Overview14.1

..........................................................................................92Configuration14.2

..........................................................................................93Replacing the SSL Certificate14.3

.......................................................95Auditing and Licensing15.

..........................................................................................95Auditing15.1

..........................................................................................95License Overview15.2

..........................................................................................95License States15.3

..........................................................................................96License Enforcement15.4

.......................................................97High Availability View16.

.......................................................98Troubleshooting17.

.......................................................99Glossary18.

5

1. OverviewESET Secure Authentication (ESA) adds Two Factor Authentication (2FA) to Microsoft Active Directory domains or local area network, that is, an one-time password (OTP) is generated and has to be supplied along the generallyrequired username and password, or a push notification is generated and has to be approved on the user's cellphone running Android OS, iOS or Windows once the user has successfully authenticated using their general accesscredentials.

Push notifications require Android 4.0.3 and later along with Google Play services 10.2.6 and later, or iOS.

The ESA product consists of the following components:

· The ESA Web Application plug-in provides 2FA to various Microsoft Web Applications.

· The ESA Remote Desktop plug-in provides 2FA for the Remote Desktop Protocol.

· The ESA Windows Login plug-in provides 2FA for Windows computers.

· The ESA RADIUS Server adds 2FA to VPN authentication.

· The ESA Authentication Service includes a REST-based API that can be used to add 2FA to custom applications.

· ESA Management Tools:

o ESA installed in an Active Directory environment:

§ ESA User Management plug-in for Active Directory Users and Computers (ADUC) is used to manage users.

§ ESA Management Console, titled as ESET Secure Authentication Settings, is used to configure ESA.

2FA enabled for Domain Admin user

If a Domain Admin user has 2FA enabled during their ESA 2.7.x upgrade, access to the ActiveDirectory Users and Computers > ESET Secure Authentication screen and ESA Management Consolewill be removed. The ESA Web Console must be used instead.

Alternatively, disable 2FA for the Domain Admin user, or create another user with 2FA disabled andadd the user to the ESA Admins group.

§ ESA Web Console, an all-in-one management tool, can also be used to configure ESET Secure Authenticationand manage users.

o ESA installed in standalone mode:

§ ESA Web Console, an all-in-one management tool, is used to configure ESET Secure Authentication andmanage users.

If ESA is installed in an Active Directory environment, it stores data in the Active Directory data store. Since ESA datais automatically included in your Active Directory backups, there is no need for additional backup policies.

6

2. RequirementsAn Active Directory domain or local area network is required to Install ESET Secure Authentication (ESA). Theminimum supported functional level for an Active Directory domain is Windows 2000 Native. Only Windows DNS issupported.

If you use a custom DNS in your Active Directory environment, you must create an SRV record in your DNS prior toinstalling the Authentication Server using the following details:

· Type: SRV

· Name: _esetsecauth

· Protocol: _tcp

· Port number: Use the one you configure for Domain port during installation of Authentication Server. DefaultDomain port number is 8000.

· Host: <hostname>:<domain>. If ESA's prerequisite check regarding Active Directory DNS fails, the correctname will display.

Verify the availability of an SRV record by running the following command from a windows computer within yourActive Directory environment:

nslookup -type=SRV _esetsecauth._tcp

At least one instance of Authentication Server is essential in your domain/network, select it during first installationof ESA on your server (main computer). Should you select a component that cannot be installed, the installer willinform you of the exact prerequisites that are outstanding.

2.1 Supported Operating Systems

ESET Secure Authentication Services and Management Tools have been tested and are supported on the followingoperating systems:

Server operating systems (SOS)

· Windows Server 2008

· Windows Server 2008 R2


· Windows Server 2012 R2

· Windows Small Business Server 2008

· Windows Small Business Server 2011

· Windows Server 2012 Essentials

· Windows Server 2012 R2 Essentials


· Windows Server 2016 Essentials

Client operating systems (COS)

· Windows 7

7

· Windows 8

· Windows 8.1

· Windows 10 (including Fall Creators Update / Redstone 3)

The Management Tools are also supported on client operating systems from Windows 7.

RADIUS Server on Windows Small Business Server

When you install a RADIUS Server on Windows Small Business Server 2008 or 2011, the default NPS portmust be changed from 1812 to 1645. Verify that there are no processes listening on port 1812 beforeinstalling ESA by running the following command: C:\> netstat -a -p udp | more

2.2 Supported Web Browsers and Resolution

ESET Secure Authentication version 2.7 introduces a new, web-based management tool, Web Console.

ESA Web Console works best in the following browsers:

Microsoft Internet Explorer 11

Google Chrome latest

Mozilla FireFox latest

Microsoft Edge latest

Safari latest

Domain authentication is not supported in Safari.

Minimum resolution required is 1024x768.

2.3 Supported Web Applications

ESET Secure Authentication provides 2FA for the following Microsoft products:

· Microsoft Exchange 2007

o Outlook Web Access - Exchange Client Access Server (CAS)


o Outlook Web Access - Exchange Client Access Server (CAS)

o Exchange Control Panel


o Outlook Web App - Exchange Mailbox Server Role (MBX)

o Exchange Admin Center


o Outlook Web App - Exchange Mailbox Server Role (MBX)

o Exchange Admin Center

8

ESA adds 2FA protection only to web-based interface of Outlook Web Access. Login to Microsoft Outlookand similar email clients cannot be protected by ESA, due to the nature of their protocol, also known asRPC over HTTPS. We recommend not to expose such email clients to external access. See how to controlaccess to Exchange Web Services: https://msdn.microsoft.com/en-us/library/office/dn467892(v=exchg.150).aspx

· Microsoft Dynamics CRM 2011




· Microsoft SharePoint 2010



· Microsoft SharePoint Foundation 2010

· Microsoft SharePoint Foundation 2013

· Microsoft Remote Desktop Web Access

· Microsoft Terminal Services Web Access

· Microsoft Remote Web Access

2.4 Supported Mobile Phone Operating Systems

The ESET Secure Authentication Mobile app is compatible with the following mobile phone operating systems:

· iOS 8 to iOS 11

· Android™ 4.0.3 to Android 8.0 - Google Play Services 10.2.6 are required for both push notifications andprovisioning

· Windows Phone 8.1 to Windows 10 Mobile

2.5 Installation Requirements

Secure installation requires outbound connectivity to esa.eset.com on TCP port 443. If installing in an ActiveDirectory environment, the installer must be run by a member of the "Domain Administrators" security group,otherwise a user with administrator privileges is required. Another requirement for running the installer is .NETFramework Version 4.5 (Full Install). The installer will automatically attempt to install .NET 4.5 if it is not alreadyinstalled.

ESA supports the installation of components in a distributed environment, with all components installed oncomputers that are joined to the same Windows domain.

Windows Firewall exceptions essential for the proper function of ESET Secure Authentication will be addedautomatically as part of installation. If you use a different firewall solution, see Firewall exceptions for informationabout important exceptions that you will need to create.

The prerequisites for the installation of each component are:

· Authentication Service:

https://msdn.microsoft.com/en-us/library/office/dn467892(v=exchg.150).aspx

https://msdn.microsoft.com/en-us/library/office/dn467892(v=exchg.150).aspx

9

o Windows Server 2008 or later SOS in the list of Supported Operating Systems

o If installing in an Active Directory environment, the installer must be run as a user who is a member of the"Schema Admins" security group the first time an Authentication Service is installed on the domain.

· Management Tools:

o Windows7 or later COS in the list of Supported Operating Systems, Windows Server 2008 or later SOS in the listof Supported Operating Systems

o .NET Framework version 3.5

o Windows Remote Server Administration Tools, Active Directory Domain Services component (RSAT AD DS)

RSAT was previously known as the Remote Administration Pack (adminpack) and is downloadable fromMicrosoft. In Windows Server 2008 and later, this component may be installed from the “Add Feature”wizard in the Server Manager. All Domain Controllers already have these components installed.

· RADIUS Server:

o Windows Server 2008 or later SOS in the list of Supported Operating Systems

· Web App Plug-in for Microsoft Exchange Server:

o Microsoft Exchange Server 2007 or later (64-bit only), with the Client Access role (Outlook Web App / OutlookWeb Access) installed


o Internet Information Services 7 (IIS7) or later

· Web App Plug-in for Microsoft SharePoint Server:

o Microsoft SharePoint Server 2010 or 2013 (64-bit only)


· Web App Plug-in for Microsoft Dynamics CRM:

o Microsoft Dynamics CRM 2011, 2013 or 2015


· Web App Plug-in for Microsoft Terminal Services Web Access:

o The Terminal Services role with the Terminal Services role service installed on Windows Server 2008


· Web App Plug-in for Microsoft Remote Desktop Services Web Access:

o The Remote Desktop Services role with the Remote Desktop Web Access role service installed on WindowsServer 2008 R2 and later SOS in the list of Supported Operating Systems


· Web App Plug-in for Microsoft Remote Web Access:

o The Remote Web Access role service installed on Windows SBS 2008 where it is called Remote Web Access, Windows SBS 2011, Windows Server 2012 Essentials and Windows Server 2012 Essentials R2


· Remote Desktop Protection:

o Windows Server 2008 R2 or later SOS in the list of Supported Operating Systems

o Microsoft Windows 7 or later COS in the list of Supported Operating Systems

10

o Only 64-bit operating systems are supported

· Windows login protection:

o Windows Server 2008 R2 or later SOS in the list of Supported Operating Systems

o Windows 7 or later COS in the list of Supported Operating Systems

· ADFS 3.0 or 4.0 protection:

o Windows Server 2012 R2

.NET Requirements:

· All components: .NET 4.5 Full Install

· Core Server: .NET 4.5 Full Install

· RADIUS Server: .NET 4.5 Full Install

· Management Tools: .NET 3.5 (4 on Windows Server 2012)

· Web App Plugin: .NET 4.5, however, IIS Filters require .Net version 3.5

Installing ESA Core (Authentication Server) and RADIUS Server on a COS in the list of SupportedOperating Systems might not be aligned with Microsoft's licensing policy. Consult Microsoft's licensingpolicy or your software supplier for details. Moreover, a COS may present other limitations (for instancenumber of maximum concurrent TCP connections) compared to a SOS.

2.6 Supported Active Directory Environments

ESET Secure Authentication supports either single domain or multiple domain Active Directory environments. Thedifferences between these environments and their installation requirements are detailed below.

Single Domain, Single Forest

This is the simplest configuration, and the installer may be run as any Domain Admin. ESET Secure Authentication isavailable to all users within the domain.

Multiple Domain, Single Forest

In this deployment, a parent domain such as example.corp has multiple sub-domains such asbranch1.example.corp and branch2.example.corp. ESET Secure Authentication may be deployed onany of the domains in the forest, but there is no cross-communication between the installations. Each installationwill require it's own ESET Secure Authentication license.

In order to install ESET Secure Authentication on a sub-domain, the installer must be launched as a Domain Adminuser from the top level domain.

For example, using the example domains defined previously:

To install ESET Secure Authentication on server01.branch1.example.corp, log on to server01 as theexample.corp\Administrator user (or any other Admin from example.corp). After installation, ESETSecure Authentication will be available to any user within the branch1.example.corp domain.

Multiple Domain, Multiple Forest

This is identical to the previous environment, in that ESET Secure Authentication installations on separate forestsare not aware of each other.

11

2.7 Firewall exceptions

Windows Firewall exceptions essential for the proper function of ESET Secure Authentication will be addedautomatically as part of installation. If you use a different firewall, the following exceptions must be defined in thatfirewall manually:

Exception Name: ESET Secure Authentication Core Service

Scope: AnyProtocol: TCPLocal Port: 8000Remote Ports: All

Exception Name: ESET Secure Authentication API

Scope: AnyProtocol: TCPLocal Port: 8001Remote Ports: All

Exception Name: ESET Secure Authentication RADIUS Service

Scope: AnyProtocol: UDPLocal Port: 1812Remote Ports: All

Exception Name: ESET Secure Authentication RADIUS Service (Alternative Port)

Scope: AnyProtocol: UDPLocal Port: 1645Remote Ports: All

2.8 Policies

During installation ESA adds ESA_<computer name> user to the Log on as a service entity found at Local SecurityPolicies > Local Policies > User Rights Assignments, while the <computer name> is replaced with the the name of thecomputer where ESA is being installed. This is essential to run the ESET Secure Authentication Service service that isstarted automatically when the operating system starts.

If you use Group Policy and you have the Log on as service defined there (Group Policy Management > <Forest> >Domains > <domain> > Default Domain Policy > Settings > Computer Configuration > Policies > Windows Settins >Security Settings > Local Policies), then you must add the ESA_<computer name> user to the Log on as a serviceentity there or not have the Log on as a service defined there at all.

To find the name of the computer where you are installing ESA:

o Press the Windows key and E simultaneously so that the File Explorer shows up

o In the right pane right-click This PC or Computer and select Properties.

A new window will display the Computer name.

12

3. InstallationAll of the following components are required for your first ESA installation:

· At least one instance of the Authentication Server

· At least one of the authentication endpoints (API, Windows Login, Web Application, Remote Desktop, orRADIUS)

All the components may be installed on a single machine, or they may be installed across multiple machines in adistributed environment, except for ESA Web Console, which is part of the Authentication Server. As is the casewith distributed systems, there are many possible installation scenarios.

You do not have to install ESA Authentication Server on the domain controller specifically, it can be installed on anyother machine within your Active Directory network.

The example below illustrates a generic installation scenario in an Active Directory environment; however, thisexample can serve as a basic guide for other deployment scenarios. The example installation consists of twosequences—after completing both, your deployment will correspond with the figure below.

3.1 Installation of Authentication Server

1. Run the supplied .exe file to start installation of Authentication Server on the machine that is about to host theESA Authentication Service. The .NET Framework version 4.5 will be installed automatically if it is not detected.

2. Select deployment type

a. Active Directory Integration - This type of deployment is suitable for customers running a Windows domainnetwork. They are not limited to protect with 2FA computers belonging to their Windows domain only, butthey can invite computers from outside their network also, as long as the the Authentication Server isavailable online.

b. Standalone - Suitable for customers not using a Windows domain. They can invite computers from their localnetwork and other networks also. ESA related services run under SYSTEM user.

13

A number of prerequisite checks will be performed to ensure that the domain or installation environment is healthyand that ESA can be installed. Any failures must be corrected before installation can proceed. Installation willcontinue when all prerequisites are successfully completed.

If the Next button is not available for more than 5 seconds, wait or scroll down to see which requirements arestill being checked.

14

3. When prompted, make sure that Authentication Server component is selected, as per the figure below. If ActiveDirectory Integration type of deployment was selected initially, then both Authentication Server andManagement Tools (Microsoft Management Console for ESA) will be selected automatically.

If port number 8000 (Active Directory Integration only) or 8001 is already in use on your network, select a differentport for ESA Web Console. If you prefer to use a transparent proxy, select Use proxy and type in the correspondingvalues. Click Next. Port number 8001 is also used for API.

Set the Username and Password. Click Next.

15

The subsequent Check prerequisites screen will reveal if the selected port(s) is (are) available.

4. Go through the remainder of the steps as prompted by the installer and close the installer when complete.

5. Use ESA Web Console to configure your installation of ESET Secure Authentication and related components,users.

3.2 Installation of the Remote Desktop plugin

1. To start installation, on the appropriate Remote Desktop Access machine, run the supplied .exe file. The installerwill run a number of prerequisite checks as was done during the Installation of Authentication Server.

2. When prompted, select the check box next to Remote Desktop and click Next.

3. Enter the the connection information of Authentication Server when prompted. Click Next.

16

If the connection to Authentication Server is successful, and the server certificate has been verified, selectcheckbox Add certificate with this thumbprint to machine store if available. Click Next.

Prerequisite checks will run to verify the ESA Remote Desktop plug-in can be installed. Any failuresmust be corrected before installation can proceed.


3.3 Installation of the Web App plugin

1. To start installation, on the appropriate machine running the Web App, run the supplied .exe file. The installerwill run a number of prerequisite checks as was done during the Installation of Authentication Server.

2. When prompted, select the check box next to the applicable Web App and click Next.


17


Prerequisite checks will be run to ensure that the Web App is running on the server and that the ESAWeb App plugin can be installed. Any failures must be corrected before the installation can proceed.


MSI installer

When using the .msi installer to install 2FA protection for Microsoft SharePoint Server, RemoteDesktop Web Access, or Microsoft Dynamics CRM, run the installer with elevated privileges.

18

3.4 Installation of Windows Login plugin

1. To install the ESA Windows Login plug-in, on the applicable machine, run the supplied .exe file. The .NETFramework version 4.5 is installed automatically if it is not detected.

2. When prompted, click Select components, select the check box next to Windows Login and then click Next.




19

3.5 Change, repair, remove installation

1. In the Windows Control Panel, click Programs > Programs and Features, select ESET Secure Authentication andthen click Change.

To install new components or remove existing components, click Change or Remove.

20

Go through the remainder of the steps as prompted by the installer and close the installer when complete.

Removal of Authentication Server

To uninstall ESA core, in the Additional configuration screen, select the check box next to Remove all program anduser data including product configuration. This option is not available if ESA core is not the last component in theActive Directory domain you are preparing to uninstall or you do not have Domain Admin uninstall privileges.

If you do not want to install ESET Secure Authentication again on this machine, or you want to use this machine for adifferent ESET Secure Authentication Active Directory domain, select the check box next to Remove all program anduser data including product configuration. This option is available as a AUTHENTICATION_SERVER_CLEAN_DATAparameter when executing a silent uninstall via .msi package:

msiexec /x ESA.msi /qn AUTHENTICATION_SERVER_CLEAN_DATA=1

If ESA core was installed on a sub-domain using Domain Admin privileges, you will not be able toperform a complete uninstall using sub-domain admin privileges.

3.6 Installation of Windows Login and RDP protection via GPO

Applies to Active Directory Integration deployment type only.

Prerequisites

q Server (or main computer) where the Authentication Server of ESET Secure Authentication (ESA) is installed:

· must belong to the same Active Directory (AD) domain as the the client computer(s), where Windows loginprotection and RDP protection will be installed

· Microsoft Group Policy Management Console (GPMC) must be installed on your server. Click here forinstructions to install GPMC.

· The computer you will install Windows login protection on, must be added to EsaServices through ActiveDirectory Users and Computers.

q Client computer(s):

· .NET Framework 4.5 or higher version must be installed on the client computer.

http://download.eset.com/manuals/eset_esa_product_manual_enu.pdf

https://technet.microsoft.com/en-us/library/cc725932.aspx


https://www.microsoft.com/en-us/download/details.aspx?id=42642

21

· Active Directory membership - the computer must belong to the same AD domain as your server (maincomputer) where the Authentication Server of ESA is installed.

· Domain Admin privileges - the installer must be run by a member of the "Domain Administrators" securitygroup.

· Windows 7 / Windows Server 2008 R2 or later - the computer must be running Windows 7 (or later) orWindows Server 2008 R2 (or later).

q Additionally, for RDP protection:

· Remote Desktop connection must be enabled on the particular computer (Start > Control Panel > SystemProperties > Remote tab).

Adding a computer to EsaServices

1. Open Active Directory Users and Computers management tool.

2. Click View > Advanced Features.

3. Navigate to <your_active_directory_domain> > ESET Secure Authenitcation, right-click EsaServices, selectProperties.

4. Click Members tab > Add... > Object Types > select Computers > OK.

5. Type the name of computer you wish to install Windows login proteciton on to the Enter the object names toselect field > click Check Names to make sure the computer name is correct.

6. If the computer name is correct click OK, click OK again.

Obtaining the .msi installation file

If ESA Authentication Server is installed using the .exe installer, then .msi installers are automatically created in "C:\Program Files\ESET Secure Authentication\msi\".

Alternatively, obtain the installer following the steps below:

1. Download the .exe installer for ESA from https://www.eset.com/us/products/secure-authentication/

2. Extract the .msi installation file (named ESET Secure Authentication x64.msi or ESET Secure Authenticationx86.msi) from the downloaded .exe file

3. Upload the obtained .msi installation file to a shared folder of your server (main computer) that is accessiblefrom members of your AD domain.

Proceed with one of the deployment options below:

· Startup script

· Software Installation task

The MSI installer is also available in the ESET Remote Administrator repository.

http://www.eset.com/int/business/access-protection/two-factor-authentication/

https://www.eset.com/us/support/download/business/remote-administrator-6/

22

3.6.1 Startup script

Prepare a startup script (.bat file) with the essential parameters

1. Press the windows key + R key, type notepad.exe into the Run dialog box and then press Enter.

2. When notepad opens, enter the following code:

msiexec /i "<path_to_msi_file>" NO_DOMAIN_ADMIN_MODE=1ADDLOCAL="Credential_Provider,Win_Credential_Provider" /qn /L*v "c:\esa_install_log.txt"

where the <path_to_msi_file> must be replaced with a valid Universal Naming Convention (UNC) path(network path) to the shared installer package (for example, \\fileserver\share\filename.msi). The code must beentered in a single line.

Credential_Provider stands for RDP login protection, Win_Credential_Providerstands for Windows Login protection. See MSI arguments for more information.

3. In Notepad, click File > Save As, select All Files from the Save as type drop-down menu and enter: esainstall.batas the file name.

Deployment of startup script

1. Open Group Policy Management, locate your domain, right-click the desired group policy and then select Edit.

In Group Policy Management Editor, under your domain policy expand Computer Configuration > Policies >Windows Settings, right-click Startup and select Properties.

23

Click Add... > Browse... and browse for the esainstall.bat file uploaded to the shared folder of your AD domain, clickOpen and then click OK.

2. Click OK to apply the changes and close the Startup Properties window.

24

3.6.2 Software Installation task

Prior to creating a Software Installation task via GPO, it is essential to create an .mst transform file.

Prerequsite

· The Orca database editor tool must be installed on your computer. Orca is available as part of the WindowsSDK. For instructions to download and install Orca, visit the following Microsoft Knowledge Base article: Howto use the Orca database editor to edit Windows Installer files.

Creating an .mst transform file

1. Click Start > All Programs > Orca to launch Orca database editor.

2. Click File > Open, navigate to the .msi installer file that you want to apply the transformation file to, select itand then click Open.

3. Click Transform > New Transform.

Select Features in the Tables column, select Windows Login and change the Level to 1. Then select RemoteDesktop and change the Level to 1.

https://support.microsoft.com/kb/255905/en-us

https://support.microsoft.com/kb/255905/en-us

25

All changes are marked in green.

5. Select Property in the Tables column, right-click an empty row and select Add row.

In the Add Row dialog window type NO_DOMAIN_ADMIN_MODE into the Property field, set the Value field to 1and click OK.

26

Click Transform > Generate Transform...

27

Create a Software Installation task via GPO

The steps below are demonstrated in Microsoft Server 2012 R2.

1. Open Group Policy Management > locate your domain > right-click Default Domain Policy or a custom policyyou created and then select Edit.

28

In Group Policy Management Editor, under your domain policy expand Computer Configuration > Policies >Software Settings.

3. Right-click Software installation, select New > Package and navigate to the location where the ESA installer.msi is saved. Type the full Universal Naming Convention (UNC) path of the shared installer package (forexample, \\fileserver\share\filename.msi), and click Open.

Select Advanced and click OK.

5. Select the Modifications tab and click Add...

29

Navigate to the ESA installer transform file (in the same location you referenced in step 3), enter the UNC pathof the .mst file (for example, \\fileserver\share\filename.mst) and click Open.

7. Click OK. The package will be displayed in the Group Policy Management Editor.

30

The package will be installed to all client computers the edited group policy applies to.

See Microsoft Knowledgebase how to use Group Policy to install software remotely in Windows Server 2003 and2008.

3.6.3 MSI arguments

When using the .msi installer either as a Logon script or Installation task, several arguments can be used.

· To specify components to be installed, the ADDLOCAL argument is used. Possible values include the following: Credential_Provider = Remote Desktop protection componentWin_Credential_Provider = Windows Login protection componentRadius_ServerWeb_Exchange, Web_SharePoint, Web_RemoteDesktop, Web_Dynamics, Web_RemoteAccessManagement_Tools = Management consoleADFS3Core_Service = Authentication server

· To set initial username and password for ESA Web Console:ESA_CONFIG_WEB_CONSOLE_USER, ESA_CONFIG_WEB_CONSOLE_PASSWORD

· To set a custom RADIUS port or set the details of proxy server to be used, the following arguments are available.Set the corresponding values.ESA_CONFIG_RADIUS_PORTESA_CONFIG_PROXY_SERVER, ESA_CONFIG_PROXY_PORT, ESA_CONFIG_PROXY_USER,ESA_CONFIG_PROXY_PASSWORD

· To set a custom domain port (Active Directory Integration deployment type only) or a custom API port, thefollowing arguments are available. Set the corresponding values:ESA_CONFIG_CORE_PORT_DOMAINESA_CONFIG_CORE_PORT_API

· Useful MSIEXEC arguments./L*v "c:\esa_install_log.txt" - to create an installation log file named esa_install_log.txt in the Cdirectory/qn - silent installation mode, meaning, the installation is accomplished in the background without theinteraction of being logged in user.

· To install or remove ESA components without a Domain Admin user, use NO_DOMAIN_ADMIN_MODE=1.

· For complete removal of ESA Authentication Server, including configuration data stored in Active Directory, useAUTHENTICATION_SERVER_CLEAN_DATA=1.

3.7 Upgrade installation

In ESET Secure Authentication version 2.5.X and later, you can upgrade ESA by launching the installer. There is noneed to manually uninstall the previous version.

Upgrade Order

You must upgrade the Authentication Server first and then upgrade other components on computerssecured by ESA to maintain compatibility.

If you have multiple Authentication Servers (possible only in Active Directory environment), upgrade allof them. When upgrading one of them, the other ones must be stopped in order to maintain datacompatibility.

https://support.microsoft.com/en-us/kb/816102

https://support.microsoft.com/en-us/kb/816102

31

1. Review the license agreement and privacy policy, click I accept to continue.

Enter the desired username and password to be used to access ESA Web Console if prompted.

When all prerequisites are satisfied, click Next .

4. Complete the upgrade as prompted by the installer. Close the installer when you are finished.

When the upgrade is finished, a shortcut labeled as ESA Web Console will be automatically created on thedesktop of your Windows OS. Double click the shortcut to open the Web Console.

ESA Web Console certificate

ESA Web Console uses a self-signed certificate. Accessing the Web Console from a machine differentfrom the machine hosting the Authentication Server will result in a certificate issue message.

Accessing the Web Console via Mozilla Firefox from the machine hosting the Authentication Server willresult in a certificate issue message.

32

Use the login credentials configured during upgrade to enter the Web Console. In the Dasbhoard the Componentstile shows the number of outdated components, meaning, computers using a particular component of olderversion then the version of Authentication Server. Click the number in Out of date column to see relatedcomputers. Use the installer of same version as of Authentication Server to upgrade ESA Components (WindowsLogin, Remote Desktop Protection, IIS, ADFS, RADIUS) on related computers.

3.7.1 Compatibility

Version compatibility between ESA Core (Authentication Server) and other components (Windows Login, RemoteDesktop Protection, IIS, ADFS, RADIUS, ADUC) of ESET Secure Authentication has been improved. The tables belowshow which versions of ESA core, ESA Component and Management Console (MMC) are cross-compatible.

Compatibility table - component connecting to ESA Core

Component v2.4 Component v2.5 Component v2.6 Component v2.7

ESA core v2.4 OK FAIL FAIL FAIL

ESA core v2.5 OK OK FAIL FAIL

ESA core v2.6 OK OK OK OK


New registration of old component with a newer server does not work. Failedconnection due to compatibility issues is followed by a visual notification.

IIS component v2.6 or higher is essential to communicate with latest ESA core.

Compatibility table - management console (MMC) connecting to ESA Core

MMC v2.4 MMC v2.5 MMC v2.6 MMC v2.7

ESA core v2.4 OK FAIL FAIL FAIL

ESA core v2.5 OK OK FAIL FAIL



Failed connection due to compatibility issues is followed by a visual notification.

33

4. Using reverse proxyWhen using ESET Secure Authentication behind a reverse proxy server, consider the information below:

· In invitation details:

o Use the IP address of the proxy server instead of the name of Authentication Server

o Use the certificate hash of the proxy server certificate

· If Authentication Server is installed in Active Directory Integration mode:

o ESA components (for example, Windows Login, Remote Desktop Protection, RADIUS) have to be installed inStandalone mode

o In invitation use the IP address of the proxy server instead of the name of Authentication Server

o Cannot log in to the ESA Web Console using domain authentication

34

5. Getting started with ESET Secure Authentication Web ConsoleOnce all required ESA components have been installed, some basic configuration is necessary via the ESA WebConsole.

On your desktop, double-click the ESA Web Console shortcut.

ESA Web Console certificate

ESA Web Console uses a self-signed certificate. Accessing the Web Console from a machine differentfrom the machine hosting the Authentication Server will result in a certificate issue message.

Accessing the Web Console via Mozilla Firefox from the machine hosting the Authentication Server willresult in a certificate issue message.

To avoid a certificate issue message, add an exception.

Add Certificate exception

· Mozilla Firefox

1. Click Advanced, click Add Exception....

2. In the Add Security Exception window make sure the Permanently store this exception is selected.

3. click Confirm Security Exception.

· Google Chrome

1. Click Advanced.

2. Click Proceed to <web address of ESA Web Console> (unsafe).

3. At this point Google Chrome remembers the exception.

· Internet Explorer 11

1. Click Continue to this website (not recommended).

2. In the right section of address bar click Certificate error, then click View certificates, and then click InstallCertificate....

3. In Certificate Import Wizard window select Local Machine for Sore Location, click Next.

4. In the next screen select "Place all certificates in the following store", click Browse.

5. Selected Show physical stores checkbox, then select Trusted Root Certification Authorities, click OK.

6. Click Next, then Finish.

7. Restart the computer.

· Microsoft Edge

1. Try to access the Web Console in Internet Explorer 11 first, and carry out the steps on adding certificateexception described for Internet Explorer 11.

Log in to ESA Web Console

Log in using the access credentials you created for ESA Web Console during the Authentication Server install. In anActive Directory (AD) environment, if Active Directory Integration type of deployment has been used, log in clickingUse domain authentication in supported browsers.

35

Activate your installation of ESET Secure Authentication.

To configure 2FA for a supported Web Application, refer to the Web Application Protection section. For configuring2FA on your VPN, refer to the VPN Protection section. To configure 2FA for Remote Desktop, refer to the RemoteDesktop Protection section.

Provide feedback on ESET Secure Authentication via the Submit feedback section in ESA Web Console. That sectionappears only if your installation of ESET Secure Authentication has been activated.

You can provide feedback on ESET Secure Authentication via the Submit feedback section in ESAWeb Console. That section appears only if your installation of ESET Secure Authentication has beenactivated.

5.1 Activate ESET Secure Authentication

Activate your ESA system using an ESA license. This license can be obtained from your ESET distributor, or the demolicense (in License.txt) shipped with the installer can be used.

To activate your ESA Server:

1. Launch the ESA Web Console.

2. In the Dashboard click License, enter your username and password and then click Activate.

3. Once your license is active, configure your token name (name that will display in the Mobile Application onuser's phones) under Settings > Mobile application > Account name.

36

5.2 User Management - Provisioning

All user management is done via the Web Console in the Users section. All ESA users must have valid mobile phonenumbers. The phone number is either entered manually when creating/editing a user in the Web Console, orimported along with user details if synchronizing with LDAP.

Each user belongs to a realm (domain, computer name, etc.). Realms and users are created automatically when auser logs on a machine with an ESA component installed, or logs in to a service protected by ESA, or if ESA issynchronized with LDAP. You can create custom realms manually also.

The image below depicts 3 users added manually (customuser,customuser2,customuser3) to a custom realm(Custom Realm), and 4 users created automatically (admin,Test, admin,Test) along with their realm, which bears thename of computer where Windows Login plug-in of ESA is installed and all 4 users logged on. The status of a userreveals if the user has 2FA enabled (and used 2FA at least once) or not.

Create a custom realm manually

1. Click next to Realms, and click Create custom Realm.

2. Enter desired string for both Realm ID and Realm Name, select Category, click Save.

Add user to a realm manually

1. Select the realm you want to add a user to.

2. Click Add user...

3. Enter the name and phone number of the user.

4. Click Create user.

Phone number format

Mobile numbers must be in international format "+421987654321", where +421 is the country code. Forexample, a Slovak phone number 0978654321 would be entered as +421987654321 replacing the leadingzero "0" with the country code "+421".

You can import users to a custom realm from a file also.

37

Send mobile application to users

1. Select the checkbox of users you want to send the mobile application to.

2. Click Send application.

3. Close the confirmation window.

Enabling 2FA per user

Click a user, and turn on the desired options of authentication. OTP and Push authentication are the mostconvenient ones. If Hard Token OTPs have been enabled and imported, then Hard Tokens will be available in thelist-box under Hard Token toggle. Click Save to save the changes.

If Mobile Application OTP or Mobile Application Push has been turned on, a notification will show up to remind youto send the enrollment/provisioning message to the user to activate the mobile application.

If you click Do not send or Cancel, you can use the Actions button to send the enrollment/provisioning messagelater. If you click Send, an information window will show you a unique application URL that has been sent to theuser.

Enabling 2FA for multiple users in one go

1. Select the checkbox next to users you want to enable 2FA for.

2. Click 2FA, select Enable, select the desired authentication option.

3. Close the confirmation window.

38

Instructions on installing and using the mobile application (click the desired mobile OS to be redirected to thecorresponding article):

· Android

· iPhone

· Windows Phone

http://support.eset.com/kb3297/?viewlocale=en-US



39

5.2.1 User Status

A user may be in various statuses during regular operation. Before enabling a user for 2FA, or uninitialized status,the Status column in the Users screen is empty.

· Waiting to send: 2FA is enabled but the mobile application has not yet been sent to the user.

· Waiting to use: Mobile application has been sent to the user but not used yet.

40

· 2FA enabled : User used the second factor to access a computer or service protected by ESA. This state applies alsoif only SMS-based OTPs and/or Hard Tokens are enabled for the user, though the user has not yet authenticated.

A user may then be enabled for either SMS-based OTPs, Mobile Application OTPs, Mobile Application Push or all. Ifthey are enabled for all, they are in what is known as the transitioning state. This type of status is visible only in theusers's profile.

In this state, a user will receive SMS-based OTPs when authentication attempts are initiated, but as soon as a validmobile OTP is used for authentication or a Push notification (authentication request) is approved, SMS-based OTPswill be disabled, and the user will only be able to authenticate using mobile OTPs or Push notifications. When a userhas successfully authenticated using a mobile app OTP, a green flag is displayed in user details.

When authenticating OTPs, a user has 10 opportunities to enter an incorrect OTP. On the 11th failed OTP, a user's2FA gets locked. This is to prevent brute force guessing of OTPs. When a user's 2FA is locked, his name is highlightedred in the Users screen, status changes to 2FA locked, and a red flag along with additional details is displayed in hisprofile:

41

If it has been confirmed that the user's identity is not under attack, click Actions, then Unlock to unlock the user's2FA.

If Hard Token OTPs have been enabled and imported, there are then more states in which the user may potentiallyfind him or herself.

The user may be in a Hard Token OTP only state, or may be enabled for any combination of the three OTP types, orthe user may be in a transitioning state where all three OTP types are enabled. In this state, a user will receive SMSOTPs when authentication attempts are initiated, but as soon as a valid mobile OTP is used for authentication, SMSOTPs will be disabled, and the user will only be able to authenticate using mobile or Hard Token OTPs.

The user can also be in the state where both SMS and Hard Token OTPs are allowed.

5.2.2 Synchronizing with LDAP

ESET Secure Authentication supports synchronization with LDAP.

1. Access ESA Web Console and click Users.

2. Next to Realms, click , select Create Synchronized Realm.

3. Enter the address of your LDAP server, select the applicable LDAP server type from the Sync Server type drop-down menu, and enter your LDAP username and password.

4. If this a one time import, leave the Sync interval intact. Otherwise, select the applicable synchronizationinterval.

5. Select the check box next to Run immediately and click Save.

42

Once your ESA instance is synchronized with LDAP, to synchronize it again manually:

1. In the Realms section, select the saved and synchronized LDAP server.

2. Click the gear icon and then click Synchronize Now.

Supported configuration parameters

· objFilter - Required; used as a filter for selecting the user object in LDAP.

· AttrName - Optional; name of LDAP user property storing the user name. If Windows LDAP is selected for SyncServer Type, the username is read from "sAMAccountName" property. Otherwise, the username is read from"cn" property.

· AttrPhone - Optional; name of LDAP user property holding the phone number. If the AttrPhone parameter isnot used, the mobile number is taken from the user field that is set as default in ESA Web Console > Settings >Mobile Number Field.

· AuthType - Optional; defines the type of authentication used when connecting to LDAP server. Default value forthe Windows platform is 1 (Secure), for the other platform 0 (None). Available values:

o 0 (None)

o 1 (Secure)

o 2 (Encryption/SecureSocketsLayer)

o 4 (ReadonlyServer)

o 16 (Anonymous)

o 32 (FastBind)

o 64 (Signing)

o 128 (Sealing)

43

o 256 (Delegation)

o 512 (ServerBind)

For more information on each authentication type see the official Microsoft documentation.

5.2.3 Import users from file

ESET Secure Authentication 2.7 and later allows to import users to custom realms from a CSV or LDF file. The file hasto contain the name of the user at least.

To import users to a custom realm, follow the steps below:

1. Select a custom realm.

2. Click the gear icon , select Import Users and then select file type.

3. Browse for the file, click Open.

4. In the import dialog, adjust settings if necessary based on the format of your CSV file.

5. Click Import.

To import users from an Active Directory environment to a Standalone installation of ESET Secure Authentication,export the appropriate CSV or LDF file using the command line on your Domain Controller (main computer).

Export Active Directory users to a file

· Export to CSV file:

https://msdn.microsoft.com/en-us/library/system.directoryservices.authenticationtypes(v=vs.110).aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-1

44

csvde -f output.csv -r "(objectclass=user)" -l "dn,c,l,st,postalCode,mobile,telephoneNumber,displayName,co"

· Export to LDF file:

ldifde -f export.ldf -s mydomain.com -r "(objectclass=user)" -l "cn, memberOf, distinguishedName, mobile, pager, facsimileTelephoneNumber"

5.3 Invitations

ESET Secure Authentication 2.7 introduces invitations to be able to deploy 2FA protection of ESA in adomain/network environment not established by Active Directory Domain Services. An invitation containsconnection information of Authentication Server, certificate thumbprint and expiration, and a unique code basedon which invitation is identified. Each invitation is limited by time and usage count.

If you use ESET Secure Authentication in a domain established by Active Directory Domain Services, and you want todeploy 2FA on computers outside that domain, invitations make it possible.

Generate an invitation

1. In the ESA Web Console, click Components > Invitations.

2. Click Create invitation....

3. Enter an invitation name, expiration time and usage count. Click Create.

The invitation details displays. To save the details to a text file or to copy elsewhere, click Copy data to clipboard.

45

Click Close, and the list of invitations will display.

Click the name of an invitation to open the invitation details again. Click Server info to view the connectioninformation of Authentication Server, certificate thumbprint and expiration.

5.4 Use domain authentication

In an Active Directory (AD) environment, if Active Directory Integration type of deployment is used, you can log in toESA Web Console clicking Use domain authentication in supported browsers. This kind of authentication works ifyou log on to the machine hosting the Authentication Server with a user who belongs to the same Active Directorydomain, and also belongs to the group of domain administrators.

If domain authentication does not work out of the box, attempt to troubleshoot with the steps below:

· Internet Explorer 11

1. Click Tools, select Internet options.

2. Select the Security tab.

3. Click Trusted Sites.

4. Click Custom level... .

5. Scroll down to User Authentication, select "Automatic logon with current user name and password".

6. Click OK on both open configuration windows.

· Microsoft Edge, Google Chrome

1. Complete the steps listed for Internet Explorer, and the domain authentication regarding ESA Web Consolewill work in both Microsoft Edge and Google Chrome.

· Mozilla Firefox

1. Type about:config in the address bar.

2. Click the I accept the risk! button.

3. Type network.negotiate-auth.trusted-uris into Search bar.

4. Double click the found result.

5. Enter the domain name of ESA Web Console without protocol (https://), without port number and trailingslash.

https://)

46

6. Press Enter key.

47

6. Authentication optionsESET Secure Authentication provides several options to allow users to be authenticated for access to certaincomputers or services protected by two-factor authentication.

· OTP (one time password) recieved via sms

· OTP generated via ESA mobile application

· Push Authentication

· Hard tokens

· OTP received via custom delivery option

Reliability of SMS delivery

Due to technical nature of SMS messages, which are typically handled by local operators oftelecommunication services, reliability of SMS delivery to end user mobile phone cannot beguaranteed by ESET.

6.1 Mobile Application

The mobile application of ESET Secure Authentication makes it easy to generate OTPs or approve pushauthentication requests to access computers, services protected by 2FA. The mobile application version 2.40+supports authentication of multiple users, meaning, if you use several user accounts in a domain/network protectedwith 2FA, the authentication tokens of all your user accounts may be stored in your one mobile application.

Instructions on installing and using the mobile application (click the desired mobile OS to be redirected to thecorresponding article):

· Android

· iPhone

· Windows Phone

Note that in case of PIN-protected Mobile Application the message of Approve on phone is displayed on Androidwatch when a push notification is generated.

PIN-protected Mobile Application

If the Mobile Application has PIN protection enabled, it will allow a user to log in using an incorrectPIN code to protect the correct PIN code from brute-force attacks. For example, if an attackerattempts to log into the Mobile Application using an incorrect PIN code, they might be grantedaccess, but no OTP will work. After entering several wrong OTPs, the 2FA of the user account (whichthe Mobile Application belongs to) will be automatically locked. This represents a minor issue for ageneral user: If the user happens to log into the Mobile Application using an incorrect PIN code,then changes the PIN code to a new one, all the tokens included in the Mobile Application willbecome unusable. There is no way to repair such tokens—the only solution is to re-provision tokensto the Mobile Application. Therefore, we advise users to try an OTP before changing their PIN code—if the OTP works, it is safe to change the PIN code.

OTPs and Whitespace




48

OTPs are displayed in the mobile application with a space between the 3rd and 4th digits in order toimprove readability. All authentication methods except MS-CHAPv2 strip whitespace from theprovided credentials, so a user may include or exclude whitespace without affecting authentication.

6.2 Push Authentication

The Push authentication method, which uses push notifications on mobile devices, was introduced in ESET SecureAuthentication (ESA) version 2.5.X, and was available only for Android devices. ESA 2.6.X extended Pushauthentication to iOS devices also, and ESA 2.7 extends it to Windows phone as well.

Both OTP and Push authentication can be enabled per user or for multiple users in one go in Users section of ESAWeb Console.

To enable push notifications on iOS devices, when prompted, tap Allow. On Android devices, notifications areenabled automatically.

It may take some time for the push notifications to start working after the user's phone has beenprovisioned, or push notifications have been turned on in ESA Web Console.

49

Users can approve or reject the authentication request directly from the notification area of their mobile device.

Android; iOS

Tap the notification somewhere off the Approve and Reject buttons to open the Mobile application where you canapprove or reject the authentication request.

ESA Mobile App

You can also manage Push authentication requests on smart watches running Android OS or iOS.

Each push notification contains an ID which matches the ID of the authentication request screen.

50

Android smart watch

When an ESET notification displays on an Android smart watch, slide the screen right or left to see available options:

Approve the authentication request; Reject the authentication request

Open authentication request in mobile app; Disable notification on smartwach

If a PIN-protected Mobile Application is in use, 'Approve on phone' is displayed.

51

Apple watch

When an ESET notification displays on an Apple watch, scroll down to Approve or Reject.

Notification arrived; Scroll down to action buttons

If a PIN-protected Mobile Application is in use, only the Reject option is available.

52

6.3 Custom delivery options

The default delivery options of OTP (sms, mobile app) work perfect for most users, ESA can accommodate customdelivery options as well.

Standalone deployment type

In ESA Web Console navigate to Settings , and click Delivery Options.

Here you can specify the path to your custom script by which you wish to handle provisioning or delivery of OTP.Click Insert attribute to view a list of parameters you can use to be passed to your custom script. For example, inorder to deliver the OTP you must use the [OTP] parameter. You can also specify a custom string to be passed toyour script (see parameter1 in the screenshot above).

Active Directory Integration deployment type

Open the ESA Management Console on your main computer, navigate to your domain node (in our exampleacswin2012.com), click Advanced Settings and then click Delivery Options.

53

Here you can specify the path to your custom script (or look up the custom script by clicking the button) by which

you wish to handle provisioning or delivery of OTP. Click to view a list of parameters you can use to be passed toyour custom script. For example, in order to deliver the OTP you must use the [OTP] parameter. You can also specifya custom string to be passed to your script (see parameter1 in the screenshot above).

Sample scenario available in Active Directory Integration deployment type - Delivering OTP via e-mail

Prerequisite:

· Know the SMTP details of the email gateway we wish to use for sending the email message containing the OTP

· Have a custom script for sending email messages

· Have a custom .bat script we define the path to it in ESA Management Console as shown in the screenshot above,while this .bat script is going to call our custom script that is supposed to send the email message

· Every 2FA-enabled user that receives OTP passwords via e-mail must have their e-mail address defined in the E-mail field of the General tab when viewing their details through the Active Directory Users and Computersmanagement interface.

It is not necessary to make any change in the Default Mobile Number Field section to make theemail delivery option work.

Sample python script for sending email - we name the file as sendmail.py

import sys, smtplib

54

server = smtplib.SMTP('smtpserver:port')

server.starttls()

server.login('username','password')

server.sendmail(sys.argv[1] , sys.argv[1], 'Subject: OTP is '+sys.argv[2])

server.quit()

In the sample python script above the smtpserver:port, username and password aresupposed to be replaced with the corresponding SMTP details.

Sample .bat script for calling the sendmail.py script while passing the essential parameters to it - we name the fileas CustomMail.bat:

c:\Python\python.exe c:\work\sendmail.py %1 %2

This sample scenario assumes the python library is installed in your main computer where the ESAAuthentication Server component is installed and you know the path to the python.exe file.

55

In the Sending OTP by field we define the path leading to our CustomMail.bat script, select the essentialparameters such as [E-mail-Addresses] and [OTP] and then click Save

Provisioning (delivery of the mobile application) can be customized the same way using the essential parameters[PHONE] and [URL].

Compared to SMS delivery (or usage of provisioned mobile application), the use of email as themeans of OTP distribution is slightly less secure because the email message can be read on anydevice the user possesses. This method does not confirm that the intended recipient is inpossession of the registered phone (phone number).

56

6.4 Hard Tokens

A hard token is a device that generates an OTP and can be used in conjunction with a password as an electronic keyto access something. Hard tokens come in many different device types, it could be a key fob which can be clippedonto a keyring or in a credit card form which can be stored in a wallet.

ESA supports all OATH compliant HOTP hard tokens but ESET does not supply them. The hard token HOTPs can beused in the same way as the OTPs generated by the mobile app or sent to the user via SMS. Scenarios where thismay be useful is to support legacy token migration, for compliance or if it fits with the company policy. Note thatOATH TOTPs (time-based OTPs) are not supported.

To use and manage hard tokens, see instructions below.

Enable and Import Hard Tokens

1. In the ESA Web Console, click Hard Tokens.

2. Select the Enabled checkbox.

3. Click the Import Hard Tokens... button.

4. Select the file to import. This should be an XML file in the PSKC format. If such a file was not received from thehard token vendor, contact the vendor. If the XML file is password protected or protected by an encryption key,type the password or encryption key (HEX or base64 format) to the Password field in Import Hard Tokenswindow.

5. Click the Import tokens button.

6. A result notification will pop up indicating how many hard tokens were imported and the imported hard tokenswill be displayed.

Assign Hard Token to a user

1. In the ESA Web Console, click Users.

2. Click the name of the appropriate user.

3. Click the toggle next to Hard Token and select a hard token from the list.

4. Click Save.

57

Revoke Hard Tokens

Revoking a hard token for a user will also disable that user for hard token authentication.


2. Select the appropriate tokens and click Revoke.

Resynchronize a Hard Token

There is a possibility that a hard token becomes out of sync with the system. This can happen if a user generatesmany new OTPs in a short span of time. In this scenario, a resynchronization will be required.

A token can be resynchronized as follows:


2. In the appropriate row, click , and select Resynchronize Hard Token.

Generate and enter two consecutive OTPs using the selected hard token.

58

3. Click the Resynchronize button.

4. A successful message will display.

Delete Hard Tokens


2. Select the appropriate tokens and click Delete.

59

7. Windows Login ProtectionESA features local login protection for Windows in a domain or LAN environment. To utilize this feature, theWindows Login component must be included during installation of ESA. Once installation is finished, access ESAWeb Console, navigate to Components, click Windows Login. The list of computers where the Windows Logincomponent of ESA is installed will display. From this screen you can enable/disable 2FA protection per computer.

If you have a long list of computers, use the Filter field to search for a specific computer by typing its name.

If the Windows Login component of ESA version 2.6 or later is uninstalled from a particular computer, the computerwill be removed from the Computer List of ESA Web Console automatically. A computer entry can be deleted

manually also from the Web Console. Select a computer entry and click Delete, or hover a computer, click andselect Delete. Click Delete in the confirmation window also. If a computer entry is removed from the Computer Listbut the Windows Login component is not removed from the particular computer, the computer will show up againin the Web Console with default settings.

Click Settings tab to see available settings.

From this screen you can see various options to apply 2FA, including the option to apply 2FA protection for SafeMode, Windows lock screen and User Account Control (UAC).

60

If the machine where the Windows Login component of ESA is installed, must be offline part of the time and youhave users who have SMS authentication enabled, you can enable Allow access without 2FA for users with SMS-based OTP or Mobile Push authentication only.

If a user using SMS delivery for OTP wants to have an OTP re-sent, they can close the window requiring OTP andafter 30 seconds enter their username and password again to receive a new OTP.

2FA protection cannot be bypassed by any attacker even if the attacker knew the username and password, thusproviding better protection of sensitive data. Of course, we assume the hard drive is not accessible by the attackeror the content of the drive is encrypted.

We recommend to combine 2FA protection with whole disk encryption to mitigate the breach risk if an attacker hasphysical access to the disk.

2FA enabled for offline mode

If 2FA protection is enabled for offline mode, all users whose accounts are secured by 2FA and whowant to use a 2FA-protected PC must log in to that PC for the very first time while the PC is online.By 'online' we mean that the main computer where Authentication Server of ESA is installed and theESET Secure Authentication Service service is running and can be pinged from the 2FA-securedcomputer.

If the Windows Login component is installed on the same computer where Authentication Server isinstalled and 2FA protection for Safe Mode is enabled on that computer while offline mode isdisabled (Do not allow access is selected in Offline behavior section), then the user will be allowedto log in to Safe Mode (without networking) without OTP.

The offline mode allows to log in 20 times using valid OTP each time. If the limit is exceeded, the machine needs tobe online when trying to log in. Whenever the machine is online while trying to log in, the limit counter is reset.

To allow specific users to log on to certain computer(s) only in an Active Directory environment, configure a "Denylog on locally" policy.

Windows 10 login secured by ESA in - after entering a valid username and password, users will be prompted toapprove login on their Android/iOS mobile device or Android/Apple watch, or to enter an OTP :

https://technet.microsoft.com/en-us/library/dn221948(v=ws.11).aspx

https://technet.microsoft.com/en-us/library/dn221948(v=ws.11).aspx

61

7.1 Master recovery key

A master recovery key (MRK) is an alternative OTP that can be used to log in to a Windows machine protected by 2FAin situations where the user can not enter a valid OTP,or cannot authenticate by approving a push notification. Forexample, the user lost his phone where the ESA Mobile Application was installed. An MRK is unique to a user andcomputer, meaning, User1 and User2 would have a different MRK for PC1. Access via MRK is available even in onlineand offline mode. Offline use of MRK is available only if the offline mode for given computer is enabled in ESA WebConsole in the section of Windows Login Settings. If offline mode is enabled, MRK is also stored locally on thecomputer in the encrypted and protected cache.

You can use MRK version 2.6 and later for other protection modules of ESA.

To use MRK for authentication:

1. Users cannot obtain an OTP, so they need to call the administrator.

2. The administrator opens ESA Web Console, navigates to Users > clicks the name of the particular user > clicksActions > selects Show MRK > selects the particular protection module from the Choose component list-box,then selects the particular computer from the Choose computer list-box and clicks Show MRK. At this point aMRK is generated.

62

The administrator provides the obtained MRK to the user and the user can log in entering the MRK instead of OTP.

While the computer is in offline mode, an MRK may be used to log in to the particular Windows machine multipletimes.

After first successful connection to ESA Authentication Server the previously generated MRK is invalidated and cannot be used anymore, even if it was not used at all.

MRK generated for other protection modules of ESA are valid at most for 1 hour or until regenerated.

MRK for ESA Web Console administrator

In a case where the administrator of the ESA Web Console is unable to authenticate (for example, reinstalled ESAMobile Application, lost PIN code, lost phone where the ESA Mobile Application was installed), reset ESA WebConsole credentials:

1. Run the installer of ESET Secure Authentication again.

2. Click Change.

3. To replace the old account with a new one, enter the original administrator username and a new password whenprompted. To create a different account, enter a new username and password.

4. Close the installer when complete.

63

8. VPN ProtectionESA ships with a standalone RADIUS server that is used to authenticate VPN connections. After installing the ESARADIUS server component, the service will start automatically. Ensure that it is running by checking its status in theWindows Services console.

Though it is used in most configurations, ESA RADIUS does not necessarily need to be used to allow for VPNprotection alone. For more information see RADIUS PAM modules on Linux/Mac.

8.1 Configuration

To configure 2FA for your VPN, you must first add your VPN appliance as a RADIUS client. To do so, follow the stepsshown below:

1. In the ESA Web Console, navigate to Components > RADIUS, select a RADIUS server, click Create new RADIUSclient.

2. Give the RADIUS client a memorable name for easy reference.

3. Configure the IP Address and Shared Secret for the Client so that they correspond to the configuration of yourVPN appliance. The IP address is the internal IP address of your appliance. The shared secret is the RADIUSshared secret for the external authenticator that you will configure on your appliance.

4. Select "Mobile Application" as an authentication method. The optimal authentication method depends on yourVPN appliance make and model. See the appropriate ESA VPN Integration Guide for details. VPN integrationguides are available on the ESET Knowledgebase.

5. Optionally, you can allow any non-2FA users to use the VPN.

Allowing non-2FA users to log in to the VPN without restricting access to a security group will allowall users in the domain to login via the VPN. Using such a configuration is not recommended.

6. Optionally restrict VPN access to an existing AD security group.

7. Select "Current AD domain" or "Current AD domain and domains in trust" from the Realm selection box to havethe realm (domain) of the user automatically registered when the user authenticates for the first time via VPNand 2FA. Alternatively, select a specific realm from the selection box to have all users registered to the samerealm..

8. Once you are finished making changes, click Save.

9. Re-start the RADIUS server.

a. Locate the ESA RADIUS Service in the Windows Services (under Control Panel - Administrative Tools -View Local Services).

b. Right-click the ESA Radius Service and select Restart from the context menu.

http://support.eset.com/kb3403/

http://support.eset.com/kb3403/

64

If Mobile Application Push authentication method is enabled, set the authentication expiration timeof your VPN server to more than 2.5 minutes.

The following VPN Type options are available:

· VPN does not validate AD user name and password

· VPN validates AD user name and password

· Use Access-Challenge feature of RADIUS

The following RADIUS clients support the RADIUS Access-Challenge feature:

§ Junos Pulse (VPN)

§ Linux PAM module

The following RADIUS clients should not be used with the Access-Challenge feature:

§ Microsoft RRAS

65

If your VPN client requires the Filter-Id attribute to be sent by ESA RADIUS, configure it in C:\Program Files\ESETSecure Authentication\EIP.Radius.WindowsService.exe.config by adding a code snippet similar to following:

<appSettings> <add key="RadiusFilterIdValue" value="any_value_expected_by_your_VPN_server" /></appSettings>

If the <appSettings> tag is already present, do not duplicate it, just add the <add key.... > code below it.

8.2 Usage

Once you have configured your RADIUS client, it is recommended that you verify RADIUS connectivity using a testingutility such as NTRadPing before reconfiguring your VPN appliance. After verifying RADIUS connectivity, you mayconfigure your appliance to use the ESA RADIUS server as an external authenticator for your VPN users.

Since both the optimal authentication method and usage are dependent on your appliance make and model, seethe relevant ESET Secure Authentication VPN integration guide, available on the ESET Knowledgebase.

8.3 VPN Authentication Options

This section reviews available configuration options for a RADIUS client using either the ESA Web Console, or ESAManagement Console in an AD environment.

8.3.1 SMS-based OTPs

This scenario occurs if the user is configured to use only SMS-Based OTPs and the RADIUS client is configured to useSMS-based OTP authentication.

In this configuration, a user logs in with their Active Directory password. The first authentication attempt by the VPNclient will fail to authenticate and the user will be prompted to enter their password again. At the same time, theuser will receive an SMS with their OTP. The user then logs in with the OTP contained in the SMS. The secondauthentication attempt will grant access if the OTP is correct.

This sequence is depicted in figure: RADIUS SMS OTP Authentication.

Supported authentication protocols: PAP, MSCHAPv2.

RADIUS SMS OTP Authentication

66

8.3.2 On-demand SMS-based OTPs

ESET Secure Authentication supports "On-demand SMS OTPs" for certain systems that support primaryauthentication against Active Directory and secondary authentication against a RADIUS server. In this scenario, usersthat have already been authenticated against Active Directory have to type the letters "sms" in the ESA OTP field toreceive a One Time Password via SMS.

This feature should only be used when instructed to do so by an official ESET Secure AuthenticationIntegration Guide, as it may allow users to authenticate with only an OTP if used incorrectly.

8.3.3 Mobile Application

This scenario occurs if the user is configured to use only the OTP and/or Push and the RADIUS client is configured touse Mobile Application OTPs and/or Mobile Application Push authentication.

The user logs in with an OTP generated by the Mobile Application or by approval of push notification generated ontheir Android/iOS mobile device or Android/Apple watch. Note that PIN enforcement is strongly recommended inthis configuration to provide a second authentication factor.

PIN-protected Mobile Application

If the Mobile Application has PIN protection enabled, it will allow a user to log in using an incorrectPIN code to protect the correct PIN code from brute-force attacks. For example, if an attackerattempts to log into the Mobile Application using an incorrect PIN code, they might be grantedaccess, but no OTP will work. After entering several wrong OTPs, the 2FA of the user account (whichthe Mobile Application belongs to) will be automatically locked. This represents a minor issue for ageneral user: If the user happens to log into the Mobile Application using an incorrect PIN code,then changes the PIN code to a new one, all the tokens included in the Mobile Application willbecome unusable. There is no way to repair such tokens—the only solution is to re-provision tokensto the Mobile Application. Therefore, we advise users to try an OTP before changing their PIN code—if the OTP works, it is safe to change the PIN code.

Supported PPTP Protocols: PAP, MSCHAPv2.

Compound Authentication Enforced

This scenario occurs if the RADIUS client is configured to use Compound Authentication. This authentication methodis restricted to users who are configured to use the Mobile Application OTPs.

In this scenario, a user logs into the VPN by entering their Active Directory (AD) password, in addition to an OTPgenerated by the Mobile Application. For example, given an AD password of 'password' and an OTP of '123456', theuser enters 'password123456' into the password field of their VPN client.

OTPs and Whitespace

OTPs are displayed in the mobile application with a space between the 3rd and 4th digits in order toimprove readability. All authentication methods except MS-CHAPv2 strip whitespace from theprovided credentials, so a user may include or exclude whitespace without affecting authentication.

67

8.3.4 Hard Tokens

This scenario occurs if both the user and the RADIUS client are configured to use Hard Token OTPs.

Based on the configuration of your VPN client, you can either use a single Hard Token authentication or compoundHard Token authentication.

When using compound Hard Token authentication, a user logs into the VPN by entering their Active Directory (AD)password, in addition to an OTP generated by their Hard Token. For example, given an AD password of 'password'and an OTP of '123456', the user enters 'password123456' in the password field of their VPN client.

Supported authentication protocols: PAP.

8.3.5 Migration from SMS-Based OTPs to Mobile Application

This scenario occurs if the user is configured to use both SMS-based OTPs and the Mobile Application, and theRADIUS client is configured to use OTP authentication.

In this configuration, the user may use either the SMS-based OTP or Mobile Application OTP scenarios (as describedabove) to log in.

If the user logs in with an OTP generated with their Mobile Application, SMS OTP authentication will automaticallybe disabled. On subsequent attempts, SMS based OTPs will not be accepted as log-in credentials.


8.3.6 Non-2FA Pass-through

This scenario occurs if the user is not configured for SMS-, Mobile Application- or Hard Token-based OTPs, and theRADIUS client configuration option to allow Active Directory passwords without OTPs is selected.

In this configuration, the user logs in with their Active Directory password.


About upgrading

For Microsoft Routing & Remote Access Server (RRAS) PPTP VPNs, encryption of the VPN connectionis not performed when the PAP authentication protocol is used, and is therefore not recommended.Most other VPN providers encrypt the connection regardless of the authentication protocol in use.

8.3.7 Access Control Using Group Membership

ESA supports the ability to only allow members of a specific AD security group to log in to the VPN using 2FA. This isconfigured on a per RADIUS client basis under the Access Control heading.

8.4 ESA Authentication Methods and PPP Compatibility

The VPN server must be configured to allow all protocols a clients might want to use. End-user VPN clients onlyneed to be configured for a single protocol.

Whenever more than one protocol is supported, VPN clients should be configured to use MS-CHAPv2 with 128-bitMPPE. This means that PAP is only recommended for Compound Authentication.

Authentication Method PAP MS-CHAPv2

SMS-Based OTPs Supported Supported

On-demand SMS-Based OTPs Supported Supported

68

Mobile-Application (OTP or Push) Supported Supported

Mobile Application (CompoundAuthentication)

Supported Not supported

Hard Token OTPs Supported Supported

Hard Token (Compound Authentication) Supported Not supported

Active Directory passwords without OTPs Supported Supported

69

9. RADIUS PAM modules on Linux/MacLinux/Mac machines can use ESA for 2FA by implementing a Pluggable Authentication Module (PAM), which willserve as a RADIUS client communicating with the ESA RADIUS server.

In general, any service using RADIUS can be configured to use the ESA RADIUS server.

PAM is a set of C dynamic libraries (.so) used for adding custom layers to the authentication process. They mayperform additional checks and subsequently allow/deny access. In this case, we use a PAM module to ask the userfor an OTP on a Linux or Mac computer joined to an Active Directory domain and verify it against an ESA RADIUSserver.

The PAM Authentication and Accounting module by FreeRADIUS is used in this guide. Other RADIUS PAM clients canbe used as well.

Basic configuration described here will use the Access-Challenge feature of RADIUS that is supported by both ESARADIUS server and the used RADIUS PAM client. There are other options that do not use the Access-Challengemethod briefly described in Other RADIUS configurations section of this manual.

First, configure the Linux/Mac RADIUS client in ESA Management Console. Type the IP address ofyour Linux/Mac computer in the IP Address field. Select Use Access-Challenge feature of RADIUSfrom the VPN Type drop-down menu.

Once you complete these steps, configure your Linux or Mac computer based on the instructions in the followingsub-chapters.

9.1 Mac OS - configuration

The steps below were performed on OS X - Yosemite 10.10.5.

Non-2FA users

If you enable 2FA protection using the instructions in this guide, then by default local users who donot belong to your AD domain will not be able to log in. To allow local users to log in even if 2FAprotection is enabled, please follow the additional steps described in the topic of Other RADIUSconfigurations - see Non-2FA users (user accounts not using 2FA).

To deploy 2FA protection on your Mac computer, make sure your computer is joined to the Active Directory domain.You can configure it under System Preferences... > Users & Groups > Login Options. Click Join... next to NetworkAccount Server by entering your Active Directory credentials.

PAM Authentication Module

1. Download PAM RADIUS tar.gz from http://freeradius.org/pam_radius_auth/

2. Build the .so library by executing the following commands in a terminal window:

./configuremake

3. Copy the built library to the PAM modules

cp pam_radius_auth.so /usr/lib/pam

On OS X El Capitan and later, this location is protected by System Integrity Protection. To use it, you have to disableit for the copy command.

http://freeradius.org/pam_radius_auth/


https://developer.apple.com/library/mac/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html

https://developer.apple.com/library/mac/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html

70

4. Create a server configuration file named server at /etc/raddb/. In it, enter the details of the RADIUS server in thefollowing form:<radius server>:<port> <shared secret> <timeout in seconds>

For example:1.1.1.1 test 30

See INSTALL for security recommendations for the configuration file and USAGE for parameters that can be passedto the library. For example you can use the 'debug' parameter to identify potential problems.

Incorporating the PAM module

PAM modules may be incorporated into various login types, for example, login, sshd, su, sudo and so on. The list oflogin types available is located at /etc/pam.d/ .

Modify the appropriate file in /etc/pam.d/ to incorporate the RADIUS PAM module to specific login types.

Incorporating the PAM module into SSH

To incorporate the PAM module into SSH, edit /etc/pam.d/sshd and add the following line at the end of the file:

auth required /usr/lib/pam/pam_radius_auth.so

Next, enable SSH in OS X. Under System Preferences... > Sharing, enable Remote Login.

Below is an example of SSH login via ESA (PAM module incorporated in /etc/pam.d/sshd):

Below is an example of sudo login via ESA (PAM module incorporated in /etc/pam.d/sudo):

Incorporating the PAM module into Desktop Logins

For Desktop login, we cannot use RADIUS Accept-Challenge like the VPN Type when configuring the RADIUS client inthe ESA Management Tool. The RADIUS client configuration should be as shown in the VPN Type - VPN does notvalidate AD username and password section of the Other RADIUS configurations topic and the PAM module wouldbe incorporated in the /etc/pam.d/authorization file.

http://freeradius.org/pam_radius_auth/INSTALL

http://freeradius.org/pam_radius_auth/USAGE

71

Using these settings:

· OTP is delivered via SMS - at the first password prompt a user must enter their AD password. At the secondpassword prompt, they must enter their OTP.

· Other type of OTP (compound authentication) - enter both the AD password and OTP at once as ADpasswordOTP.For example if your AD password is Test and the received OTP is 123456, you would enter Test123456.

72

9.2 Linux - configuration

The steps described here were accomplished on OpenSUSE Leap 42.1.

Non-2FA users

If you enable 2FA protection using the instructions in this guide, then by default local users who donot belong to your AD domain will not be able to log in. To allow local users to log in even if 2FAprotection is enabled, please follow the additional steps described in the topic of Other RADIUSconfigurations - see Non-2FA users (user accounts not using 2FA).

Make sure your Linux computer is joined to the Active Directory domain. Navigate to YaST > Hardware > NetworkSettings > Hostname/DNS and enter the IP address of the Domain Controller (DC) machine and the Active Directorydomain name. Next, navigate to YaST > Network Services > Windows Domain Membership. Enter the AD domainname you want your Linux computer to join in the Domain or Workgroup field and click OK. You will be prompted toenter the domain administrator's username and password.

The process of joining a domain will differ across Linux distributions.

PAM Authentication Module

1. Download PAM RADIUS tar.gz from http://freeradius.org/pam_radius_auth/

2. Build the .so library by executing the following commands in a terminal window:

./configuremake

Depending on the output of the configure command, dependencies might have to be installed.

sudo zypper install gcc make pam-devel

3. Copy the built library to the PAM modules

sudo cp pam_radius_auth.so /lib/security/

4. Create a server configuration file at /etc/raddb/ named server. In that file, enter the details of the RADIUS serverin the following form:<radius server>:<port> <shared secret> <timeout in seconds>

For example:1.1.1.1 test 30

See INSTALL for security recommendations for the configuration file and USAGE for parameters that can be passedto the library. For example you can use the 'debug' parameter to identify potential problems.

Incorporating the PAM module


http://freeradius.org/pam_radius_auth/INSTALL

http://freeradius.org/pam_radius_auth/USAGE

73

PAM modules may vary across Linux distributions. The incorporation scenarios also depend on the Desktopenvironment used on the particular Linux machine. In this example, Xfce was used on an OpenSUSE machine,therefore the PAM module was incorporated into /etc/pam.d/xdm (see examples below). It is possible that somemodules may not prompt for a second factor as shown in the example below.

Incorporation of the PAM module into SSH in Linux is done similarly to the the way it is done in Mac OS - seeIncorporating the PAM module into SSH in the Mac OS - configuration topic. However, the line of code to be addedto the /etc/pam.d/sshd file is different:

auth required /lib/security/pam_radius_auth.so

Incorporating the PAM module into console login

In order to incorporate the PAM module into console login, edit /etc/pam.d/login and add the following line at theend of the file::


Below is an example of console login while secured via ESA :

Incorporating the PAM module into Xfce desktop login

To incorporate the PAM module into Xfce desktop login, we have to edit /etc/pam.d/xdm and add the following

line at the end of the file:


Below is an example of Xfce desktop login while secured via ESA:

75

9.3 Other RADIUS configurations

VPN Type - VPN does not validate AD username and password

If you set VPN Type to VPN does not validate AD username and password when configuring a RADIUS client in ESAManagement Tool, both factors (AD username and password as first factor, and OTP as second factor) are verified byESA:

Afterward, in /etc/pam.d/sshd (or other integration), add the following line:

auth required /usr/lib/pam/pam_radius_auth.so

and comment (place a # tag at the beginning) all the other auth lines.

The domain administrator must verify whether this scenario- specifically disabling all other modules- is suitable for their deployment.

76

In this case a SSH login process would look like this:

· SMS delivery of OTP - at the first password attempt, the user is prompted for an AD password. At the secondpassword attempt, they enter their OTP.

· Other type of OTP (compound authentication) - the user must enter both the AD password and OTP at the sametime as ADpasswordOTP. For example if your AD password is Test and the received OTP is 123456, you would

enter Test123456.

VPN Type - VPN validates AD username and password

if you set VPN Type to VPN validates AD username and password when configuring a RADIUS client in ESAManagement Tool, then the first factor (AD username and password) is validated by the other PAM module:

77

When configuring RADIUS in this manner, add the following line in /etc/pam.d/sshd (or the appropriateintegration):

auth required /usr/lib/pam/pam_radius_auth.so force_prompt prompt=RADIUS

In this case a SSH login process would look like this:

· prompts that start with the string Password: are handled by other PAM modules. Prompts that begin with thestring RADIUS: are handled by our PAM module. See the argument 'prompt=RADIUS' in the sample code above

· SMS - at the first prompt, a user must enter their AD password. At the second prompt, they must enter the text'sms' (without apostrophes). At the third prompt, they must enter their AD password. At the fourth prompt, theymust enter the received OTP

78

· Other type of OTP (OTP received via mobile application or a hard token) - enter the AD password at the firstattempt. At the second attempt enter the OTP.

Non-2FA users (user accounts not using 2FA)

When configuring the PAM module for ESA, remember to consider the experience for non-2FA users - for examplelocal Linux/Mac users as opposed to domain users.

Linux:

Using this configuration, a RADIUS server would fail authentication for local users unless the following code (orappropriate for your system) is added in /etc/pam.d/sshd (or the appropriate file for your PAM module):

auth sufficient pam_unix.so try_first_pass

This edit makes standard Unix authentication sufficient to log in, so any local user will be allowed after entering alocal password. To allow domain users whose accounts are not secured with 2FA, enable Active Directory Passwordswithout OTPs when configuring the RADIUS client in ESA Management Console.

Mac:

There is no default PAM module to authenticate local users as on Linux (see above). To achieve this, another PAMmodule must be used. In this guide, we chose to download a collection of modules for PAM and then build themodule by running the following commands in a terminal window:

./configure --disable-pgsql --disable-mysql --disable-ldaphomemake

make install

The next steps depend on whether 2FA integration is intended for use with desktop logins or non-desktop logins(for example ssh).

Mac non-desktop login integration:

http://puszcza.gnu.org.ua/software/pam-modules/download.html

79

· in the integration-specific /etc/pam.d/ file, add the following line before pam_radius_auth.so:

auth sufficient /usr/local/lib/security/pam_regex.so sense=allow regex=^user$

where user is a local username that we want to be allowed without the requirement of an OTP.

· make sure the default Mac modules (not added by us) are defined as "required" or "requisite", so that this added"sufficient" module does not cause a success if the first factor failed

· modules other than pam_regex from the collection of Modules for PAM may be used also. For example you coulduse pam_groupmember to allow groups of users instead of single users to log in.

Mac desktop login integration:

· change the /etc/pam.d/authorization file so it looks like this:

# authorization: auth account

auth sufficient /usr/lib/pam/pam_radius_auth.so

auth requisite /usr/local/lib/security/pam_regex.so sense=allow regex=^user$

auth optional pam_krb5.so use_first_pass use_kcminit

auth optional pam_ntlm.so use_first_pass

auth required pam_opendirectory.so use_first_pass nullok

account required pam_opendirectory.so

Those changes ensure that:

1. our RADIUS PAM module is listed first as 'sufficient'

2. our regex PAM module is the second as 'requisite'

3. other modules that were in the file before follow later

http://puszcza.gnu.org.ua/software/pam-modules/download.html

80

10. Web Application ProtectionThe ESA Web Application Protection module automatically adds 2FA into the authentication process of all supportedWeb Applications. The module will be loaded the next time the protected Web Application is accessed after ESA hasbeen installed.

Users will log in using the normal authentication process of the Web Application. After being authenticated by theWeb Application, the user will be redirected to an ESA web page and prompted for an OTP or prompted to approvethe push notification. The user will only be allowed access to the Web Application if a valid OTP is entered or thepush notification is approved.

The user's 2FA session will remain active until they log out of the Web Application or close their browser.

10.1 Configuration

The Web Application integration can be configured from the Components page of ESA Web Console. There you willsee the list of supported Web applications for which ESA has been installed.

The settings for the Exchange Server plugins, Outlook Web App and Exchange Control Panel, are global to thedomain. The settings for all other Web Application plugins are per server.

The 2FA protection can be enabled or disabled for each Web Application. The 2FA protection is enabled by defaultafter installation. The World Wide Web Publishing service will need to be restarted on all servers hosting the WebApplication for changes to this configuration option to be reloaded.

Allowing Non-2FA Users

The module can be configured to either allow or to prohibit users that do not have 2FA enabled from accessing theWeb Application through the Allow non 2FA configuration option.

This scenario occurs if the user is configured for neither SMS-based OTPs nor the Mobile Application and the WebApplication configuration option to allow non-2FA users to log in is enabled. The configuration option to allow non-2FA users defaults to being enabled after installation.

In this configuration, a user can log into the Web Application with their Active Directory password.

If the configuration option to allow non-2FA users is disabled, then the user will not be able to log into the WebApplication.

10.2 Usage

The same 2FA process is followed for all supported Web Apps.

The operation of the Web Application Protection module can be verified as follows:

1. A user that has ESA 2FA enabled in the ADUC management tool is required for testing. The user must also beallowed to access the Web App.

2. Open the Web App in a desktop browser and authenticate as normal using the Active Directory credentials of thetest user.

3. The ESA authentication page should now appear, as per the figure below. The Remote Desktop Web Accessplugin on Windows Server 2008 and the Microsoft Dynamics CRM 2011 plugin will not display the "Cancel"button.

4. The ESA authentication page should now appear, as per the figure below. The Remote Desktop Web Accessplugin on Windows Server 2008 and the Microsoft Dynamics CRM plugins will not display the "Cancel" button.

81

a. If the user is enabled for SMS OTPs, an SMS will be sent containing an OTP that may be entered toauthenticate.

b. If the user has installed the ESA mobile application on their phone, it may be used to generate an OTP toauthenticate. OTPs are displayed in the mobile application with a space between the 3rd and 4th digits inorder to improve readability. The Web Application Protection module strips whitespace, so a user mayinclude or exclude whitespace when entering an OTP without affecting authentication.

c. If the user has installed the ESA mobile application on their phone and is allowed to use both OTP and Pushauthentication, the screen will indicate approval of a push notification or prompt the user for an OTP.

Alternatively, the user can proceed to OTP authentication by taping Enter OTP.

5. If a push notification is approved or a valid OTP is entered, the user will be redirected to the page they originallyrequested. The user will then be able to interact with the Web App.

6. If the push notification is not approved in 2 minutes, the user will be redirected to a page requesting an OTP. Ifan invalid OTP is entered, then an error message will be displayed and the user will not be allowed access to theweb application, as per the figure below.

82

If you want a custom logo to be displayed in the screen waiting to enter OTP ,or approve a notification instead of thedefault ESET Secure Authentication logo, follow the steps below. All the steps are performed on the computerwhere the Authentication Server is installed.

1. Save the desired logo as a .png image file. Recommended maximum dimension is 350px x 100px (width xheight).

2. Place the logo to C:\ProgramData\ESET Secure Authentication\Customization\ and name it "logo.png".

83

11. Remote Desktop ProtectionThe ESA Remote Desktop Protection module adds 2FA into the authentication process of Remote Desktop users. Themodule will be loaded the next time a 2FA-enabled user attempts to use Remote Desktop to log in to a remotecomputer on which the Remote Desktop plugin of ESA has been installed.

Users will log in using the normal authentication process of Remote Desktop. After being authenticated by RemoteDesktop, the user will be prompted for an OTP. The user will only be allowed access to his or her computer if a validOTP is entered.

The user's 2FA session will remain active until they log out or disconnect from the Remote Desktop session.

ESA cannot protect RDP clients that do not provide username and password, meaning, if there is anRDP client that does not have the username and password configured and it does not even request ausername and password, then no OTP is going to be requested either.

11.1 Configuration in an Active Directory environment

To configure Remote Desktop 2FA for ADUC users, you must enable 2FA for the desired user(s). They must also beallowed Remote Desktop users.

In order to use Remote Desktop protection, RD Session Host must be configured to use SSL (TLS 1.0) or Negotiate.

To modify the settings on Windows Server 2008 or earlier, follow these steps:

1. Go to the Start menu > Administrative Tools > Remote Desktop Services > Remote Desktop Session HostConfiguration

2. In the Connections section, open RDP-Tcp3. Click the General tab4. In the Security section, the Security Layer setting must be set to SSL (TLS 1.0) or Negotiate

To modify the settings on Windows Server 2012, follow these steps:

1. Open Server Manager2. Click Remote Desktop Services from the left pane3. Open the Collections properties4. In the Security section, the Security Layer setting must be set to SSL (TLS 1.0) or Negotiate

84

11.2 Allowing Non-2FA Users

The module can be configured to either allow or to prohibit users that do not have 2FA enabled from logging in toremote computers with Remote Desktop Protocol.

This scenario occurs if the user is configured for neither SMS-based OTPs nor the Mobile Application and theRemote Desktop configuration option to allow non-2FA users to log in is enabled. The configuration option to allownon-2FA users defaults to being enabled after installation.

In this configuration, a user can log into the remote computer with their Active Directory password.

If the configuration option to allow non-2FA users is disabled, then the user will not be able to log into remotecomputers with Remote Desktop Protocol.

To change the module configuration navigate in ESA Web Console to Componensts, click RDP and the Computer listwindow will appear listing all computers where Remote Desktop Protection of ESA is installed.

11.3 Usage

The operation of the Remote Desktop Protection module can be verified as follows:

A user that has ESA 2FA enabled in the ESA Web Console, and has access to the remote computer, is required fortesting. In an Active Directory environment, a domain user that has ESA 2FA enabled and is added as an allowedRemote Desktop user on the remote computer, is required for testing.

A computer that has Remote Desktop Access enabled is also required.

1. Connect to the remote computer using a Remote Desktop client, and authenticate as normal using the logincredentials of the test user.

2. The OTP prompt screen should now appear, as per the figure below.

85

a. If the user is enabled for SMS OTPs, an SMS will be sent containing an OTP that may be entered toauthenticate.

b. If the user has installed the ESA mobile application on their phone, it may be used to generate an OTPto authenticate. OTPs are displayed in the mobile application with a space between the 3rd and 4thdigits in order to improve readability. The Remote Desktop Protection module strips whitespace, so auser may include or exclude whitespace when entering an OTP without affecting authentication.

c. If the user has installed the ESA mobile application on their phone and is allowed to use both OTP andPush authentication, the screen will indicate approval of the push notification. Alternatively the usercan proceed to OTP authentication by clicking Enter OTP.

3. If a valid OTP is entered, then the user will be granted access to the computer they attempted to connect to.

4. If an invalid OTP is entered, then an error message will be displayed and the user will not be allowed access tothe remote computer.

11.4 Remote Desktop Web Access

If you utilize 2FA protection of RDP on your server where Remote Desktop Web Access (RDWA) is hosted, defaultsettings require 2FA authentication for the launch of applications available in your RDWA.

This means, if a user tries to access your RDWA web site, the user is prompted for an OTP. Once the user provides avalid OTP, logs in and tries to launch an application available in your web site, the user will be prompted again toprovide an OTP.

If you do not want an authenticated user (used a valid OTP to enter your RDWA web site) to be prompted for an OTPwhen launching an application in your web site, take the following steps:

1. In the ESA Web Console navigate to Settings > IP Whitelisting.

2. Select the check-box next to Allow access without 2FA from:


86

3. Enter the localhost IP address: 127.0.0.1,::1 in the text box

4. Select the check-box next to RDP

5. Click Save.

If RDWA is hosted on a different machine than ESA Authentication Server, you must whitelist the IPaddress of the RDWA host.

To make sure that you whitelist the correct IP address, look it up in the Esa.Core.log log file located at C:\ProgramData\ESET Secure Authentication\Esa.Core.log.

1. Clear the content of the log file.

2. Attempt to log in to RDWA with a user account protected by 2FA.

3. In that log file search for "_RDWeb".

4. A few rows below you should see a row saying "Starting two-factor authentication for user: username with ip1.2.3.4" where "1.2.3.4" will be replaced with the real IP address of your RDWA host.

87

12. IP address whitelistingIf there are certain users for whom you want to grant access to Remote Desktop or Supported Web Applicationssecured by 2FA without the need to enter an OTP, you can whitelist their IP addresses. To do so, open the ESA WebConsole and navigate to Settings > IP Whitelisting.

Select the check box next to Allow access without 2FA from, define the appropriate IP addresses, select the servicesto whitelist and then click Save.

If your VPN is secured by 2FA utilizing and you want the users whose IP addresses you whitelisted to be able toaccess your VPN without an OTP, the following criteria must be met:

§ in the configuration of RADIUS client for VPN Type select VPN validates AD username and password and select thecheckbox next to Active Directory passwords without OTPs

§ make sure the user the whitelisted IP address belongs to does not have any 2FA options enabled - see usermanagement

If these criteria are met, the user can access the VPN without entering a password or using the word none aspassword

Do not confuse Remote Web Access with Remote Desktop Web Access.

https://technet.microsoft.com/en-us/library/jj628148.aspx


88

13. AD FSESA is a great choice for security if you are using Active Directory Federation Services (AD FS) 3 or 4 and want tosecure it with 2FA.

During the installation of ESA on the computer running AD FS 3 or 4, select the AD FS 3 or 4 component and completethe installation.

https://msdn.microsoft.com/en-us/library/bb897402.aspx

89

During the installation of AD FS configuration is modified - the ESET Secure Authentication authentication method isadded and if no location is specified both Intranet and Extranet locations will be included. The image below showsthe configuration changes with the Intranet location selected prior to installation of the AD FS 3 or 4 component ofESA.

Once the installation is complete, open the ESA Web Console, navigate to Components, click ADFS and you will seethe 2FA is enabled and Allow non 2FA options enabled.

90

If a website requiring authentication verifies the identity against AD FS 3 or 4, and 2FA protection through ESA isapplied to the particular AD FS 3, you will be prompted to enter an OTP or approve the push notification uponsuccessful verification of identity:

OTP required (on the left); Approval of push notification required (on the right)

If you want a custom logo to be displayed in the screen waiting to enter OTP ,or approve a notification instead of thedefault ESET Secure Authentication logo, follow the steps below. All the steps are performed on the computerwhere the Authentication Server is installed.

1. Save the desired logo as a .png image file. Recommended maximum dimension is 350px x 100px (width xheight).

2. Place the logo to C:\ProgramData\ESET Secure Authentication\Customization\ and name it "logo.png".

91

14. APIThe ESA API is a REST-based web service that can be used to easily add 2FA to existing applications.

In most web-based applications users are authenticated before being granted access to protected resources. Byasking for an additional authentication factor during the logon process, such applications can be made moreresilient to attack.

The full API documentation for developers is available on the same URL address as ESA Web Console, but followedby "/apidoc" without quotation marks. For example, if the ESA Web Console is available at https://120.0.0.1:8001/,the API documentation is available at https://127.0.0.1:8001/apidoc

What is new in API for ESET Secure Authentication 2.7

· Managing ESET Secure Authentication settings

· More authentication options: MRK, whitelisting, Push Authentication

· Support of user realms: users from another domain, non-domain users

14.1 Integration Overview

The API consists of two endpoints , which are both called by POSTing JSON-formatted text to the relevant API URLs.All responses are also encoded as JSON-formatted text, containing the method result and any applicable errormessages. The first endpoint (the Auth API) is for user authentication and the second endpoint (the ManagementAPI) is for user management.

The API is available on all servers where the Authentication Core component is installed and runs over the secureHTTPS protocol on port 8001, unless you changed the port during installation of Authentication Server.

The authentication API is available on URLs of the form https://127.0.0.1:8001/auth/v2/ and the Management API isavailable on URLs of the form https://127.0.0.1:8001/manage/v2/. Both endpoints are protected from unauthorizedaccess via standard HTTP Basic Authentication, requiring a valid set of API Credentials before processing anyrequest.

The ESET Secure Authentication installer automatically uses an appropriate SSL security certificate installed on themachine, or generates a new self-signed certificate if another cannot be found.

https://120.0.0.1:8001/

https://127.0.0.1:8001/apidoc

92

14.2 Configuration

The API is disabled by default and must be enabled before use. Once enabled, API credentials must be created toauthorize requests.

Enabling API and configuring API credentials in ESA Web Console

1. Launch the ESET Secure Authentication Web Console and navigate to the Settings > API Credentials.

2. Select the Enabled check box. Save the changes.

3. Click the Add Credentials action to create a new set of credentials.

Enter the desired name, select the Auth API or Management API check box or both. Click Save.

4. The account ID and password displays.

Be sure to save the password securely, it cannot be displayed again.

Enabling API and configuring API credentials in MMC Console

1. Launch the ESET Secure Authentication Management Console and navigate to the Advanced Settings node foryour domain.

2. Expand the API section and check the API is enabled check box. Save the changes.

3. Open the standard Windows Services Console and restart the ESET Secure Authentication Core service for thechange to take effect.

4. Navigate to the newly visible API Credentials node for your domain.

5. Click the Add Credentials action to create a new set of credentials.

6. Double-click on the newly created credentials to get the username and password that are to be used for APIauthentication.

93

7. Check the Enabled for Auth API check box, the Enabled for User Management API check box or both.

Many sets of API credentials may be created. It is recommended to create different sets for eachapplication being protected, as well as for testing.

If the API is enabled, all servers with the Authentication Server component installed will respond toauthorized API requests after they are restarted. There is no need to restart the ESACore servicewhen credentials are created or deleted.

14.3 Replacing the SSL Certificate

The API utilizes an SSL certificate to secure API communications from eavesdropping. The installer automaticallyselects an appropriate certificate installed on the machine, or generates a new self-signed certificate if anothercannot be found.

This section explains how to replace the certificate with another of your choosing. It will first help you to importyour new certificate into Windows, and then use it for ESA.

Prerequisites

In order to follow this guide you will need:

· An installation of the ESA Authentication Server component

· Administrator access to the computer where ESET Secure Authentication is installed

· The SSL certificate you wish to use in PKCS12 format (.pfx or .p12)

o The certificate file needs to contain a copy of the private key as well as the public key

The ESA Authentication API does not have to be enabled in order to replace the certificate.

Importing the New Certificate

The new certificate needs to be placed in the Local Machine\Personal store before it can be used.

1. Launch the Microsoft Management Console (MMC):

a. Start -> Type “mmc.exe” and press the Enter key

2. Add the Certificates snap-in:

a. Click File -> Add/Remove Snap-in

b. Select Certificates from the left-hand column

c. Click the Add button

d. Select Computer account

e. Click Next

f. Select Local computer

g. Click Finish

h. Click OK

94

3. Optionally save the snap-in for future use (File -> Save).

4. Select the Certificates (Local Computer) -> Personal node in the tree.

5. Right-click -> All tasks -> Import....

6. Follow the Import Wizard, taking care to place the certificate in the Personal certificate store location.

7. Double-click the certificate and make sure the line You have a private key that corresponds to this certificate isdisplayed.

Replacing the ESA Certificate

The ESACore (Authentication Server) service will not start up without a certificate configured. If youremove the certificate, you must add another before the ESACore service will run correctly.

qDetermine the correct certificate to use

1. Open the MMC Certificates Manager using the steps above.

2. Find the certificate you wish to use in the Personal folder and double-click it.

3. Make sure you see You have a private key that corresponds to this certificate on the General tab.

4. On the Details tab, select the Thumbprint field.

5. The certificate thumbprint is displayed in the bottom pane (sets of two hex digits separated by spaces).

qWindows Server 2008+

1. Click Start -> Type “cmd.exe”.

2. In the list of programs, right-click the cmd.exe item and select Run as administrator.

3. Type “netsh http show sslcert ipport=0.0.0.0:8001” and press the Enter key.

4. Copy and paste the Certificate Hash field somewhere safe, in case you want to re-add the existing certificate.

5. Type “netsh http delete sslcert ipport=0.0.0.0:8001” and press the Enter key.

6. You should see SSL Certificate successfully deleted.

7. Type “netsh http add sslcert ipport=0.0.0.0:8001 appid={BA5393F7-AEB1-4AC6-B759-1D824E61E442}certhash=<THUMBPRINT>”, replacing <THUMBPRINT> with the values from the certificate thumbprint withoutany spaces and press the Enter key.

8. You should see SSL Certificate successfully added.

9. Restart the ESACore service for the new certificate to take effect.

95

15. Auditing and Licensing

15.1 Auditing

ESA records audit entries in the Windows event logs - specifically the Application log in the Windows Logs section.The Windows Event Viewer can be used to view the audit entries.

Audit entries fall into the following categories:

· User auditing

o Successful and failed authentication attempts

o Changes to 2FA state, for example, when a user account becomes locked

· System auditing

o Changes to ESA settings

o When ESA services are started or stopped

The use of the standard Windows event logging architecture facilitates the use of third-party aggregation andreporting tools such as LogAnalyzer.

15.2 License Overview

Your ESA license has three parameters:

· User Total

· Expiry Date

· SMS Credits

The details of the license are obtained from the ESET Licensing system, and the ESA system automatically checks forlicense validity.

The ESA Provisioning server may perform license enforcement by limiting SMS OTPs and user provisioning. Inaddition, the ESA authentication server performs license enforcement by limiting user management actions and (inextreme cases) disabling user authentication.

Warnings are communicated to the ESA Administrator in the Dashboard section of ESA Web Console.

The full license state is displayed in the License tile. This will include the overall state of the license as well as thedetails of usage (user numbers, remaining SMS credits, remaining license days).

15.3 License States

The full license state is displayed in the License tile in the Dashboard screen of ESA Web Console. Review thefollowing ESA server license states:

· OK: All license parameters are within the prescribed limits

· Warning: At least one license parameter is close to the allowed limit

· SMS Credits Expired: SMS credits have run out and no OTP or Provisioning SMSes will be sent.

· Violation (full functionality): One of the licensed parameters has exceeded allowed limits, but no enforcement isimposed

· Violation (limited functionality): A license parameter has been exceeded for more than 7 days, certain usermanagement functions are disabled

96

· ESA Disabled: The ESA license expiry date has passed more than 30 days ago and authentication is disabled. In thiscase all authentication calls will fail, will lock out all authentication until ESA is uninstalled, disabled by the adminor re-licensed.

Details of License States

The following table summarizes how each of the license parameters may cause the license to be in one of thewarning or error states listed above.

WarningSMS Creditsdepleted

Violation (fullfunctionality)

Violation (limitedfunctionality)

ESA Disabled

LicenseExpiry

less than 30 daysbefore expiration

N/ANo more than 7 daysafter expiration

more than 7 days afterexpiration

more than 30 daysafter expiration

User countless than 10% or 10seats available,whichever is lowest

N/AActive users exceedlicensed users

more than 7 days afteractive users exceedlicense

Never

SMS Credits

less than 10 SMScredits remaining(Onboarding + Top-up)

0 SMS creditsremain

Never Never Never

15.4 License Enforcement

The following table describes how license enforcement is performed on the ESA authentication server. In all cases,an administrator will be able to disable ESA authentication for a subset of the users (by disabling 2FA for thoseusers) or for all users (by means of system configuration or uninstalling the product).

OK Warning SMS Creditsdepleted

Violation (fullfunctionality)

Violation (limitedfunctionality)

ESA Disabled

Enable Users for2FA

Allowed Allowed Allowed Allowed Disabled Disabled

Provision Users Allowed Allowed Disabled Allowed Disabled Disabled

Authenticatewith SMS OTP

Allowed Allowed Disabled Allowed Allowed Disabled

Authenticatewith mobile app(OTP, Push)

Allowed Allowed Allowed Allowed Allowed Disabled

Authenticatewith hard token

Allowed Allowed Allowed Allowed Allowed Disabled

Manage systemconfiguration

Allowed Allowed Allowed Allowed Allowed Allowed

Disable Users for2FA

Allowed Allowed Allowed Allowed Allowed Allowed

97

16. High Availability ViewWhen utilizing the Active Directory Integration deployment type in an AD environment, all installed servers aredisplayed in the Servers tile of the Dashboard screen in the ESA Web Console. When more than one core service isdetected on the network, all servers are displayed.

Each ESA Authentication Service that gets installed on the domain registers itself in AD DNS using an SRV record (as_esetsecauth._tcp). When an endpoint (such as a web application or a VPN appliance) begins authentication, it firstchecks its internal list of known servers. If the list is empty, it performs an SRV lookup. The SRV lookup will return allAuthentication Servers on the domain. The endpoint then chooses an Authentication Server to connect to. If theconnection fails, it selects another server from the list and attempts to connect again.

If network redundancy is a concern when protecting your VPN with ESA, it is recommended to configure primary andsecondary RADIUS authenticators on your VPN appliance. You should then install two ESA RADIUS servers on yournetwork, and configure them accordingly.

98

17. TroubleshootingIf you experience installation or system issues with ESET Secure Authentication, and you have a case open with ESETTechnical Support, you may be asked to provide logs from your computer.See our guide on collecting logs:https://support.eset.com/kb6845/

99

18. GlossaryAD - Active Directory

ADI - Active Directory Integration

ADUC - Active Directory Users and Computers management interface

COS - Client operating system

ESA - ESET Secure Authentication

ESA component - Windows Login plugin, Remote Desktop plugin, Web App plugin

ESA core - Authentication Server that verifies the validity of an entered OTP.

GPO - Group Policy Object

MRK - Master recovery key

Online (Online mode) - A machine where the core components of ESA (at least the Authentication Server) areinstalled and the ESET Secure Authentication Service service is running. Available via TCP/IP connection.

Offline (Offline mode) - A machine where the core components of ESA are installed, the ESET Secure AuthenticationService service is not running on that machine, or connection via TCP/IP is not available.

OS - Operating System.

OTP - an one time password with limited time validity

Mobile Application Push - push notification with limited time validity

RDP - Remote Desktop Protocol. A proprietary protocol developed by Microsoft which provides a user with a graphical interfaceto connect to another computer over a network connection.

SOS - Server operating system

https://msdn.microsoft.com/en-us/library/bb742376.aspx

ESET Secure Authentication · · The ESA RADIUS Server adds 2FA to VPN ... · Windows Server 2008...

Documents

Transcript of ESET Secure Authentication · · The ESA RADIUS Server adds 2FA to VPN ... · Windows Server 2008...